Update

schmurky · schmurky · commit 813bdc60d079 · 2025-05-20T14:56:16.000+01:00
diff --git a/defender-xdr/advanced-hunting-alertevidence-table copy.md b/defender-xdr/advanced-hunting-alertevidence-table copy.md
diff --git a/defender-xdr/advanced-hunting-alertevidence-table.md b/defender-xdr/advanced-hunting-alertevidence-table.md
@@ -32,7 +32,7 @@ ms.date: 03/28/2025
 
 The `AlertEvidence` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various entities—files, IP addresses, URLs, users, or devices—associated with alerts from Microsoft  Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Use this reference to construct queries that return information from this table.
 
-This advanced hunting table is populated by records from Microsoft Defender for Endpoint. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Endpoint in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+This advanced hunting table is populated by records from various Microsoft Defender services. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy services in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
 
 For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
 
diff --git a/defender-xdr/advanced-hunting-alertinfo-table.md b/defender-xdr/advanced-hunting-alertinfo-table.md
@@ -34,6 +34,8 @@ ms.date: 03/28/2025
 ## Get access
 To use advanced hunting or other [Microsoft Defender XDR](microsoft-365-defender.md) capabilities, you need an appropriate role in Microsoft Entra ID. [Read about required roles and permissions for advanced hunting](custom-roles.md).
 
+This advanced hunting table is populated by records from various Microsoft Defender services. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy services in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+
 Also, your access to endpoint data is determined by role-based access control (RBAC) settings in Microsoft Defender for Endpoint. [Read about managing access to Microsoft Defender XDR](m365d-permissions.md).
 
 ## AlertInfo
diff --git a/defender-xdr/advanced-hunting-assignedipaddresses-function.md b/defender-xdr/advanced-hunting-assignedipaddresses-function.md
@@ -28,9 +28,6 @@ ms.date: 03/28/2025
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-
-
-
 Use the `AssignedIPAddresses()` function in your [advanced hunting](advanced-hunting-overview.md) queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time. 
 
 This function returns a table with the following columns:
diff --git a/defender-xdr/advanced-hunting-behaviorentities-table.md b/defender-xdr/advanced-hunting-behaviorentities-table.md
@@ -38,6 +38,8 @@ The `BehaviorEntities` table in the [advanced hunting](advanced-hunting-overview
 
 Behaviors are a type of data in Microsoft Defender XDR based on one or more raw events. Behaviors provide contextual insight into events and can, but not necessarily, indicate malicious activity. [Read more about behaviors](/defender-cloud-apps/behaviors)
 
+This advanced hunting table is populated by records from Microsoft Defender for Cloud Apps. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy services in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+
 For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
 
 | Column name | Data type | Description |
diff --git a/defender-xdr/advanced-hunting-behaviorinfo-table.md b/defender-xdr/advanced-hunting-behaviorinfo-table.md
@@ -39,6 +39,9 @@ The `BehaviorInfo` table in the [advanced hunting](advanced-hunting-overview.md)
 
 Behaviors are a type of data in Microsoft Defender XDR based on one or more raw events. Behaviors provide contextual insight into events and can, but not necessarily, indicate malicious activity. [Read more about behaviors](/defender-cloud-apps/behaviors)
 
+
+This advanced hunting table is populated by records from Microsoft Defender for Cloud Apps. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy services in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+
 For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
 
 | Column name | Data type | Description |
